MsCorePkg/SecureBootKeyStoreLib: Add Library implementation (#377)
## Description

Adds SecureBootKeyStoreLib which provides secureboot key store options
by consuming fixed at build PCDs that represent the Pk, Db, 3PDb, Kek,
and Dbx.

- [x] Impacts functionality?
- Adds 5 new PCDs to represent the Pk, Db, 3PDb, Kek, and Dbx, which are
consumed by SecureBootKeyStoreLibOem when configuring SecureBoot.
- [ ] Impacts security?
- **Security** - Does the change have a direct security impact on an
application,
    flow, or firmware?
  - Examples: Crypto algorithm change, buffer overflow fix, parameter
    validation improvement, ...
- [ ] Breaking change?
- **Breaking change** - Will anyone consuming this change experience a
break
    in build or boot behavior?
- Examples: Add a new library class, move a module to a different repo,
call
    a function in a new library class in a pre-existing module, ...
- [ ] Includes tests?
  - **Tests** - Does the change include any explicit test code?
  - Examples: Unit tests, integration tests, robot tests, ...
- [ ] Includes documentation?
- **Documentation** - Does the change contain explicit documentation
additions
    outside direct code modifications (and comments)?
- Examples: Update readme file, add feature readme file, link to
documentation
    on an a separate Web page, ...

## How This Was Tested

Verified secureboot is properly enabled on Qemu35Pkg for Microsoft and
Microsoft 3rd party.

## Integration Instructions

Generate the following PCDs for your platform DSC:
1. gOemPkgTokenSpaceGuid.PcdDefaultKek
2. gOemPkgTokenSpaceGuid.PcdDefaultDb
3. gOemPkgTokenSpaceGuid.PcdDefault3PDb
4. gOemPkgTokenSpaceGuid.PcdDefaultDbx
5. gOemPkgTokenSpaceGuid.PcdDefaultPk

It is highly suggested, but not required, that each pcd is generated by
running BaseTools `BinToPcd` over the binary blobs created in
[secureboot_objects](https://github.com/microsoft/secureboot_objects),
then including them in the platform's DSC file.

---------

Co-authored-by: Michael Kubacki <[email protected]>
Javagedes and makubacki authored Dec 5, 2023
1 parent b814597 commit 021c162
Showing 4 changed files with 131 additions and 0 deletions.
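--- a/MsCorePkg/Library/BaseSecureBootKeyStoreLib/BaseSecureBootKeyStoreLib.inf
+++ b/MsCorePkg/Library/BaseSecureBootKeyStoreLib/BaseSecureBootKeyStoreLib.inf
@@ -0,0 +1,36 @@
+## @file - BaseSecureBootKeyStoreLib.inf
+# Copyright (C) Microsoft Corporation. All rights reserved.
+# SPDX-License-Identifier: BSD-2-Clause-Patent
+#
+
+[Defines]
+INF_VERSION = 0x00010005
+BASE_NAME = BaseSecureBootKeyStoreLib
+FILE_GUID = 02EEF9DA-5557-4090-BFF5-E07EF0344805
+VERSION_STRING = 1.0
+MODULE_TYPE = BASE
+LIBRARY_CLASS = SecureBootKeyStoreLib
+
+#
+# The following information is for reference only and not required by the build tools.
+#
+# VALID_ARCHITECTURES = IA32 X64 AARCH64
+#
+
+[Packages]
+MdePkg/MdePkg.dec
+SecurityPkg/SecurityPkg.dec
+MsCorePkg/MsCorePkg.dec
+
+[Sources]
+SecureBootKeyStoreLib.c
+
+[LibraryClasses]
+PcdLib
+
+[FixedPcd]
+gMsCorePkgTokenSpaceGuid.PcdDefaultKek # CONSUMES
+gMsCorePkgTokenSpaceGuid.PcdDefaultDb # CONSUMES
+gMsCorePkgTokenSpaceGuid.PcdDefault3PDb # CONSUMES
+gMsCorePkgTokenSpaceGuid.PcdDefaultDbx # CONSUMES
+gMsCorePkgTokenSpaceGuid.PcdDefaultPk # CONSUMES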
@@ -0,0 +1,74 @@
/** @file SecureBootKeyStoreLib.c
Copyright (C) Microsoft Corporation. All rights reserved.
SPDX-License-Identifier: BSD-2-Clause-Patent
**/

#include <Uefi.h>
#include <UefiSecureBoot.h>

#include <Guid/ImageAuthentication.h>

#include <Library/SecureBootVariableLib.h>
#include <Library/PcdLib.h>

SECURE_BOOT_PAYLOAD_INFO mSecureBootPayload[] = {
{
.SecureBootKeyName = L"Microsoft Only",
.KekPtr = (CONST UINT8 *)FixedPcdGetPtr (PcdDefaultKek),
.KekSize = (CONST UINT32)FixedPcdGetSize (PcdDefaultKek),
.DbPtr = (CONST UINT8 *)FixedPcdGetPtr (PcdDefaultDb),
.DbSize = (CONST UINT32)FixedPcdGetSize (PcdDefaultDb),
.DbxPtr = (CONST UINT8 *)FixedPcdGetPtr (PcdDefaultDbx),
.DbxSize = (CONST UINT32)FixedPcdGetSize (PcdDefaultDbx),
.PkPtr = (CONST UINT8 *)FixedPcdGetPtr (PcdDefaultPk),
.PkSize = (CONST UINT32)FixedPcdGetSize (PcdDefaultPk),
.DbtPtr = NULL,
.DbtSize = 0,
},
{
.SecureBootKeyName = L"Microsoft Plus 3rd Party",
.KekPtr = (CONST UINT8 *)FixedPcdGetPtr (PcdDefaultKek),
.KekSize = (CONST UINT32)FixedPcdGetSize (PcdDefaultKek),
.DbPtr = (CONST UINT8 *)FixedPcdGetPtr (PcdDefault3PDb),
.DbSize = (CONST UINT32)FixedPcdGetSize (PcdDefault3PDb),
.DbxPtr = (CONST UINT8 *)FixedPcdGetPtr (PcdDefaultDbx),
.DbxSize = (CONST UINT32)FixedPcdGetSize (PcdDefaultDbx),
.PkPtr = (CONST UINT8 *)FixedPcdGetPtr (PcdDefaultPk),
.PkSize = (CONST UINT32)FixedPcdGetSize (PcdDefaultPk),
.DbtPtr = NULL,
.DbtSize = 0,
}
};

/**
Interface to fetch platform Secure Boot Certificates, each payload
corresponds to a designated set of db, dbx, dbt, KEK, PK.
@param[in] Keys Pointer to hold the returned sets of keys. The
returned buffer will be treated as CONST and
permanent pointer. The consumer will NOT free
the buffer after use.
@param[in] KeyCount The number of sets available in the returned Keys.
@retval EFI_SUCCESS The Keys are properly fetched.
@retval EFI_INVALID_PARAMETER Inputs have NULL pointers.
**/
EFI_STATUS
EFIAPI
GetPlatformKeyStore (
OUT SECURE_BOOT_PAYLOAD_INFO **Keys,
OUT UINT8 *KeyCount
)
{
if ((Keys == NULL) || (KeyCount == NULL)) {
return EFI_INVALID_PARAMETER;
}

*Keys = mSecureBootPayload;
*KeyCount = ARRAY_SIZE (mSecureBootPayload);

return EFI_SUCCESS;
}
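Review bot: `mSecureBootPayload` publishes whatever the PCDs hold without checking that the platform set them: with the defaults this commit adds to MsCorePkg.dec (`{ 0x0 }`, described there as "Empty by default") every `*Ptr` is non-NULL and every `*Size` is 1, and `GetPlatformKeyStore` still returns `EFI_SUCCESS` with two selectable key sets. Whether the caller rejects a one-byte PK/KEK/db is not visible in this commit, so the library should fail closed on its own, for example `if (FixedPcdGetSize (PcdDefaultPk) <= 1) { return EFI_NOT_FOUND; }` ahead of the `*Keys` assignment, repeated for the other PCDs; the status code is a suggestion, to be aligned with what callers handle. Separately, the header comment tags both parameters `@param[in]` while the prototype declares them `OUT`; `@param[out]` would match.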
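--- a/MsCorePkg/MsCorePkg.dec
+++ b/MsCorePkg/MsCorePkg.dec
@@ -136,6 +136,26 @@
 ## Default: 1024 * 4KiB = 4MB
 gMsCorePkgTokenSpaceGuid.PcdDebugFileLoggerAllocatedPages|1024|UINT32|0x4000001C
 
+## Pcd value representing the Pk for a platform
+# Empty by default. Platform required to set this value to enable setting default secureboot variables.
+gMsCorePkgTokenSpaceGuid.PcdDefaultPk |{ 0x0 }|VOID*|0x4000001D
+
+## Pcd value representing the Db for a platform
+# Empty by default. Platform required to set this value to enable setting default secureboot variables.
+gMsCorePkgTokenSpaceGuid.PcdDefaultDb |{ 0x0 }|VOID*|0x4000001E
+
+## Pcd value representing the 3PDb for a platform
+# Empty by default. Platform required to set this value to enable setting default secureboot variables.
+gMsCorePkgTokenSpaceGuid.PcdDefault3PDb | { 0x0 }|VOID*|0x4000001F
+
+## Pcd value representing the Dbx for a platform
+# Empty by default. Platform required to set this value to enable setting default secureboot variables.
+gMsCorePkgTokenSpaceGuid.PcdDefaultDbx | { 0x0 }|VOID*|0x40000020
+
+## Pcd value representing the Kek for a platform
+# Empty by default. Platform required to set this value to enable setting default secureboot variables.
+gMsCorePkgTokenSpaceGuid.PcdDefaultKek | { 0x0 }|VOID*|0x40000021
+
 [PcdsDynamic, PcdsDynamicEx]
 gMsCorePkgTokenSpaceGuid.PcdDeviceStateBitmask|0x00000000|UINT32|0x00010178
 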
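Review bot: The comments on the five new declarations do not say what content a platform is expected to supply or under which token space it must be set, which matters because the commit description's integration steps name `gOemPkgTokenSpaceGuid.*` while the PCDs declared here are `gMsCorePkgTokenSpaceGuid.*`. A line such as `# Set in the platform DSC as gMsCorePkgTokenSpaceGuid.PcdDefaultPk, e.g. from BinToPcd output over the platform's PK blob.` on each entry would make the declaration self-sufficient for an integrator. The separator spacing also differs between entries (`|{ 0x0 }` for Pk and Db, `| { 0x0 }` for 3PDb, Dbx and Kek); one form throughout would read better.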
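--- a/MsCorePkg/MsCorePkg.dsc
+++ b/MsCorePkg/MsCorePkg.dsc
@@ -168,6 +168,7 @@
 MsCorePkg/Library/DxeIsCapsuleSupportedLib/DxeIsCapsuleSupportedLib.inf
 MsCorePkg/Library/BaseIsCapsuleSupportedLibNull/BaseIsCapsuleSupportedLibNull.inf
 MsCorePkg/Library/SecureBootKeyStoreLibNull/SecureBootKeyStoreLibNull.inf
+MsCorePkg/Library/BaseSecureBootKeyStoreLib/BaseSecureBootKeyStoreLib.inf
 MsCorePkg/Library/MuSecureBootKeySelectorLib/MuSecureBootKeySelectorLib.inf
 MsCorePkg/HelloWorldRustDxe/HelloWorldRustDxe.inf
 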
